Field of the Invention
The invention is in the field of computing systems and more specifically in the field of network security.
Related Art
Several approaches to controlling external access to computing networks have been developed. The goals in developing these approaches include limiting access to authorized users and assuring that computing devices employed by these users do not include malicious computing code such as viruses, worms, or Trojan horses. The need for access control has grown with users' demands for accessing secure networks over the Internet and from personal devices such as laptop computers and personal digital assistants.
A first level of access control is achieved by requiring authentication of a user. This may be accomplished by requiring the user to enter a username and password or by reading a MAC address or other identifying information from an access device. In some systems, a network switch is programmed to grant access to a secure network only after proper authentication is achieved. Systems capable of using this approach include those using a proprietary VMPS protocol from Cisco Systems, Inc. of San Jose, Calif. or using a IEEE 802.1x standard protocol.
Reliance on mere user authentication includes several disadvantages. For example, there are no provisions to assure that an access device used by the authenticated user meets network security policies. The access device may have out-of-date virus software, may have security vulnerabilities, or may be otherwise compromised. Further, this approach requires that access points (e.g., network switches) support one of a specific set of access protocols. Because many access points do not support VMPS, 802.1x, or a similar protocol, implementation of this approach on a large preexisting network, such as a corporate network, may be prohibitively expensive.
A greater level of access control may be achieved by including a gatekeeper between the secure network and the access device. The gatekeeper is configured to ensure that the access device conforms to a predetermined security policy. FIG. 1 is a block diagram of a Secure Network, generally designated 100, including two instances of a Gatekeeper 110 each associated with a different instance of an Access Point 120. Secure Network 100 further includes, as an illustrative example, a network File Server 130, a Network PC (personal computer) 140 and a Printer 150 included in and connected via, a local area network designated LAN 125.
Each instance of Access Point 120 may include a large number of individual communication ports. These ports are used to connect through GateKeeper 110 to other elements within Secure Network 100 such as File Server 130 or LAN 125. Large corporate networks may include many instances of Access Point 120, each including hundreds of individual communication ports and being associated with an instance of GateKeeper 110.
Some instances of Access Point 120 are capable of supporting virtual local area networks (VLANs). VLANs are generated by associating communication ports within Access Point 120 with separate virtual networks. For example, one Access Device 160 may be placed on a different VLAN than another Access Device 160 by assigning the communication ports of Access Point 120 to separate VLANs. From the point of view of these devices, the effect of a VLAN is equivalent to having a separate hardwired network.
GateKeeper 110 is configured to control access to Secure Network 100. In addition to authenticating users who wish to access Secure Network 100 using an Access Device 160, GateKeeper 110 is configured to ensure that Access Device 160 conforms to a predetermined security policy, before granting access to Secure Network 100. For example, GateKeeper 110 may make certain that Access Device 160 has up-to-date virus software and encryption protocols as proscribed by the security policy. Once GateKeeper 110 has verified that Access Device 160 satisfies the security policy, Access Device 160 is allowed to communicate through GateKeeper 110 to LAN 125.
A disadvantage of the use of GateKeeper 110, as practiced in the prior art, is that all communications between Access Device 160 and LAN 125 pass through GateKeeper 110. For large networks including many instances of Access Point 120, each of which may include many communication ports, this can be a significant burden. The use of one instance of GateKeeper 110 to support numerous instances of Access Device 160 is limited by bandwidth and required sophistication (e.g., cost) of GateKeeper 110. It is undesirable for GateKeeper 110 to become a limiting factor on the bandwidth of communication between instances of Access Device 160 and Secure Network 100. Further, the use of a separate GateKeeper 110 for each instance of Access Device 160 or Access Point 120 is often prohibitively expensive. Even if a separate GateKeeper is used for each Access Point 120, there is no isolation between compliant and non-compliant Access Devices 160 which are attached to the same Access Point 120.
There is, therefore, a need for improved systems and methods of controlling access to secure networks.